With companies in Asia easy targets for cyberattacks, they must get their responses right when security is breached

Charles Lankester says the attack on Hong Kong toy company VTech should be a reminder to corporations that planning ahead and investing in cybersecurity are vital to build trust

PUBLISHED : Monday, 15 February, 2016, 4:31pm
UPDATED : Monday, 15 February, 2016, 4:31pm

It has been a tough few weeks for Hong Kong-listed educational toy maker VTech. Five million customer details were hacked last November through the company’s Learning Lodge app. The attack included the theft of thousands of photos of children. So far, so bad. But cyberbreaches happen all the time and there seems to be a growing resignation to this fact.

READ MORE: VTech’s ‘zero accountability clause’ for hacked or lost data on Learning Lodge app store won’t put it above the law, experts say

What made the VTech situation different? After the breach, the company changed its terms and conditions of use last December, shifting data theft liability away from the company and onto its customers.

In fairness to VTech, they made a call and I respect them for that. Nothing online can be 100 per cent secure. But, looking at the global social media storm that arose in response to their approach, I believe their decision will have implications beyond a few nasty headlines.

There are two questions about cyber risk that every management team must be able to answer in 2016. First, did they do everything they could to prevent the cyberattack they are experiencing? And, second, do they have the resources to fix it fast?

Cyber risk is insidiously becoming one of the greatest corporate vulnerabilities out there. It is an existential threat going to the heart of trust in business through the theft of customers’ personal data, money, or both.

As you are reading this, your company is likely to be under attack. Whether you know it or not. Cyberbreaches tend not to be of the “smash, grab, alarm bells ringing” type. Instead, they often take place stealthily, over long periods of time, with the attacked company being unaware of a breach. That is until it’s too late and the international news media is on the phone.

READ MORE: Hacking of Hong Kong’s VTech may prove worst cybersecurity breach of 2015 in Asia

Corporates in Asia are targeted 40 per cent more than the global average, according to FireEye Inc, a cybersecurity specialist. Law firm DLA Piper estimates that Asian institutions are twice as likely to be targeted. A recent Bloomberg article noted that corporations and governments in the Asia-Pacific region are easier targets because they “invest less in security and share less with regulators and other countries when victimised”. Looking ahead, I’d suggest three priorities for any management team considering cyber risk in 2016.

Cyber risk is insidiously becoming one of the greatest corporate vulnerabilities out there

First, have a game plan. It is vital that a company has prepared for these kinds of incidents and does not “learn by doing”. There should be the means to quickly answer questions such as, a) are you still under attack, b) are you subject to any ransom demands and, c) what actions should your customers (and partners) be taking now? There will also be great interest in the company’s preparedness. It should be ready to answer questions regarding its preparation for an attack and whether it is (or has been) working with cybersecurity experts to contain and investigate the breach.

Second, the company should get ready to answer tough questions. It’s virtually impossible to keep anything secret in this day and age, so executives should always take the stance that any attack will be public, and soon. They should also keep in mind that a cybercrime is still a crime. It is not the company that has broken the law; they are the victim. So, when are the media, customers and regulators unsympathetic? Where there is evidence management did not invest suitable time, attention or money in keeping their data and networks as secure as possible. Less than optimal security levels will not be treated kindly.

It’s virtually impossible to keep anything secret in this day and age

Third, cyber risk should be at the top of the management’s agenda. There is really no way to stop a dedicated hacker, just as there is no way to stop a dedicated thief. VTech was absolutely right about this. Management must then ask themselves whether they did everything possible to stop the thieves. Or did they leave the doors (and customers’ data and wallets) wide open to attack?

Ultimately, it is about trust. And being on your customers’ side. VTech clearly needs to work on both.

Charles Lankester is senior vice-president, reputation management, at Ruder Finn Asia